An Insider’s View on Product Management

June 14, 2009

Developers, developers, developers, developers

It’s all about developers, developers, developers and developers. Steve Ballmer put it better than anybody, whether during his memorable performance jumping around on stage or, more recently, at MIX08.

What’s at stake?

Don’t get fooled by Steve Ballmer: there is more to it than just a dance. Any platform is only as good as the applications running on it, and there is hardly anything new to this. You can build the most intuitive, powerful, robust and scalable platform in the world; it means nothing until you get applications that take advantage of those capabilities and bring value to the end users.

The demise of NeXT Computer

The best example is the rise and demise of NeXT Computer. When NeXT released its first computer in 1989, the operating system was second to none. It crushed the competition and dwarfed the Apple and Microsoft offerings. The OS was brilliant and robust, and it was swarming with innovations way ahead of its time. The hardware? Powerful, slick and stylish. In three words: a dream machine… As for marketing, the charismatic Steve Jobs was wowing crowds at conferences around the world. What could possibly go wrong?

Well, everybody was in awe but nobody would buy it. Granted, the hardware was expensive at $6000 for a box, but that should not stop people from paying if they see value in it. People pay for a Mac even when it is twice as expensive as a PC because they judge it worth it. In fact the major issue for NeXT was really the lack of applications. NeXT never bothered to attract developers until it was already too late, and some industry insiders even described them as arrogant. They thought developers would come on their own, but they never did. As a result the public never bought the machines, because they could not do anything useful for them, and the company died from a lack of applications.

Steve Jobs won’t get caught twice

Since then, Apple’s CEO has learned his lesson. The iPhone’s success can be attributed to its operating system, its well-designed hardware, and the marketing genius of the Cupertino giant. This time, however, Steve Jobs is well aware that Apple’s supremacy can be ephemeral and that smartphones are an excellent base for distributing applications. To gain market share and consolidate its position, Apple needed to provide more added value than any other phone. So in July 2008, Apple launched the App Store program to sell third-party applications for the iPhone and iTouch. The store has been successful beyond expectations: last winter it reached its first billion application downloads, in less than a year. Naturally, the competition has finally woken up and is trying to catch up. Nokia, Research in Motion, Palm, Google and Microsoft have all launched or announced their own version of the store.

The war is raging

If we look around us, the war for developers is raging, and it is by no means limited to the mobile market: it is all over the internet and has never been as intense. Companies small and big are exposing open APIs, providing SDKs and creating developer communities. Indeed, the stakes are colossal for those who want to control the technologies of tomorrow:

  • Cloud supremacy: Microsoft Azure, Google App Engine, Amazon EC2 or somebody else?
  • Social media dominance: Facebook and its 50,000 applications, or MySpace, OpenSocial and others?
  • Rich Internet Application (RIA) control: Microsoft Silverlight, Adobe Flash, Sun FlashFX, or will developers stick with AJAX?

Make developers a priority

Undeniably, today more than ever, third-party developers have become strategic assets for companies. Thus, product managers should prioritize developer programs in their business strategy (when adequate for their product line). Yet such requirements are too often discarded because they do not contribute directly to the bottom line; it is well known that developers are cheap and don’t pay. As a consequence, companies are running the risk of missing incredible opportunities, or of getting caught off guard when the competition has already made its move.


April 26, 2009

On OAuth vulnerability and open standards

Filed under: Product Management, Technology — Gregory @ 7:51 pm

OAuth is the protocol of choice for delegating authorization in the open APIs world. As a user, it allows me to share private resources stored on one site with another site without having to hand out my username and password. The protocol is commonly supported by companies like MySpace, Google, Yahoo and Twitter on their open APIs. Last week, a vulnerability was discovered in the OAuth protocol. The identified security threat is known as a session fixation attack. You can find more details about the attack’s specifics in Eran Hammer-Lahav’s excellent post. The OAuth community reacted quickly and did a fantastic job of handling the situation. It was an impressive display of individuals and of small and big companies working together to solve the issue. Among the heroes, Eran masterfully coordinated the community’s response; Twitter generously agreed to shut down its OAuth service and take the blame from its user base to avoid suspicion; Google, Yahoo and others offered time and resources to help solve the problem… The story is better told in Marshall Kirkpatrick’s blog.

On the other hand, the incident also showcased the difficulties of managing serious incidents for open standards. When the vulnerability was first identified and acknowledged, there were no procedures in place to alert the community and manage the issue. OAuth’s website contains a list of companies that have implemented the protocol, but this list is incomplete and does not contain contact information. Consequently, the initial alert sent by email missed numerous companies: some companies were not listed, or their contact information was incorrect. Similarly, there were no designated leaders to drive the community response. Fortunately Eran stepped up to the task and others followed suit.

A related issue for open standards is the lack of enterprise vendor support. Traditional software vendors (Microsoft, IBM, Oracle…) do not offer commercial implementations of OAuth and do not contribute to the specification. An enterprise software architect who wants to add OAuth support does not have many options and often ends up directly reusing the open source libraries developed by the community, even if his team lacks the security knowledge and training to use the libraries properly. As a result there are almost as many OAuth-powered services as there are slightly different implementations of the protocol. This raises some valid security concerns… By contrast, an enterprise willing to support other trust protocols such as SAML and WS-Trust can rely on structured standards organizations and a variety of vendors. In case of an incident, the enterprise can also be assured that processes are in place to cope with the situation and that communication channels are properly defined.

In conclusion, thanks to the dedication of OAuth’s members, last week’s incident ended up as a great and inspiring story. However, this episode also highlighted some of the weaknesses, and sometimes the relative immaturity, of open standards. OAuth clearly suffers from a lack of processes for responding to urgent situations, as well as a lack of support from recognized software vendors. Those vendors are essential to bring legitimacy to standard protocols and to define proper governance processes in case of incidents. Until governance and maturity issues are addressed, OAuth will struggle to prosper and to get adopted beyond the Web 2.0 crowd… and enterprises should be careful before jumping too fast on the bandwagon.